Add SMB attributes for users

SMB attributes are used by Samba domain controller when reporting details about IPA users via LSA DCE RPC calls. Based on the initial work from the external plugin: https://github.com/abbra/freeipa-user-trust-attributes Related: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Tibor Dudlák <tdudlak@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-04-02 16:23:09 +02:00
parent 339771b0d8
commit c18ee9b641
6 changed files with 219 additions and 8 deletions
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -361,6 +361,42 @@ return {
                    fields: [
                        { $type: 'multivalued', name: 'carlicense' }
                    ]
+                },
+                {
+                    name: 'smb_attributes',
+                    label: '@i18n:objects.smb_attributes.title',
+                    show_cond: ['oc_ipantuserattrs'],
+                    fields: [{
+                            name: 'ipantlogonscript',
+                            tooltip: {
+                                title: '@i18n:objects.smb_attributes.ipantlogonscript_tooltip'
+                            }
+                        },
+                        {
+                            name: 'ipantprofilepath',
+                            tooltip: {
+                                title: '@i18n:objects.smb_attributes.ipantprofilepath_tooltip'
+                            }
+                        },
+                        {
+                            name: 'ipanthomedirectory',
+                            tooltip: {
+                                title: '@i18n:objects.smb_attributes.ipanthomedirectory_tooltip'
+                            }
+                        },
+                        {
+                            name: 'ipanthomedirectorydrive',
+                            $type: 'select',
+                            options: IPA.create_options([
+                                'A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:',
+                                'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
+                                'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'
+                            ]),
+                            tooltip: {
+                                title: '@i18n:objects.smb_attributes.ipanthomedirectorydrive_tooltip'
+                            }
+                        }
+                    ]
                }
            ],
            actions: [
@@ -444,6 +480,7 @@ return {
                    IPA.user.self_service_other_user_evaluator,
                    IPA.user.preserved_user_evaluator,
                    IPA.user.no_password_evaluator,
+                    IPA.object_class_evaluator,
                    IPA.cert.certificate_evaluator
                ],
                summary_conditions: [
@@ -576,6 +613,7 @@ IPA.user.details_facet = function(spec, no_init) {
        });

        var user_command = that.details_facet_create_refresh_command();
+
        batch.add_command(user_command);

        var pwpolicy_command = rpc.command({
--- a/install/updates/75-user-trust-attributes.update
+++ b/install/updates/75-user-trust-attributes.update
@@ -0,0 +1,5 @@
+# Add an explicit self-service ACI to allow writing to manage trust attributes
+# for the owner of the object
+dn: cn=users,cn=accounts,$SUFFIX
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)